Invalid Cookie name causes stacktrace and can bring down lucee/tomcat

Description

We recently had a server become unresponsive overnight. Looking at the logs, we've found some invalid cookies being sent which appear to be the cause.

A request with an invalid cookie throws an uncaught IllegalArgumentException from the servlet container, followed by IllegalMonitorStateExceptions which cause either Tomcat or Lucee to become unresponsive.

The cookie in question looks to be intentionally malicious, and the request can be easily reproduced using curl:

curl -v --cookie 'Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!=0' http://example.com

Environment

[root@### ~]# uname -a
Linux ###.team193.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@### ~]# java -version
openjdk version "1.8.0_45"
OpenJDK Runtime Environment (build 1.8.0_45-b13)
OpenJDK 64-Bit Server VM (build 25.45-b02, mixed mode)
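As an added example for triaging this report (not code from Lucee or Tomcat), the check below splits a raw Cookie header into pairs and flags any cookie name that is not an RFC 6265 token, which is the property the reproduction header above violates; the two sample headers are constructed, the second one being the curl reproduction.

```python
"""Flag cookie names in a raw Cookie header that are not RFC 6265 tokens.
Added as an example for this report; not part of Lucee or Tomcat."""

# RFC 6265: cookie-name = token. A token (RFC 2616) is one or more CHARs
# excluding CTLs and these separators.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(name: str) -> bool:
    """True if `name` is non-empty printable ASCII with no separators."""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code <= 0x20 or code >= 0x7F or ch in _SEPARATORS:
            return False
    return True


def split_cookie_header(header: str):
    """Split 'a=1; b=2' into (name, value) pairs without discarding
    anything, so malformed pairs can be reported instead of lost."""
    pairs = []
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition('=')
        pairs.append((name.strip(), value if sep else None))
    return pairs


def invalid_cookie_names(header: str):
    """Return the cookie names in `header` that are not valid tokens.
    An empty list means the header is safe to pass to the container."""
    return [name for name, _ in split_cookie_header(header)
            if not is_token(name)]


# Constructed inputs: a normal header and the one from the curl reproduction.
GOOD_HEADER = 'JSESSIONID=abc123; cfid=42'
BAD_HEADER = 'Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!=0'

if __name__ == '__main__':
    for hdr in (GOOD_HEADER, BAD_HEADER):
        bad = invalid_cookie_names(hdr)
        print('reject' if bad else 'accept', repr(hdr), bad)
```

The servlet Cookie class additionally rejects reserved names (such as Version or Path) and names starting with '$', so this is a first-pass filter for a proxy rule or log triage, not a full replacement for the container's own validation.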

Status

Assignee

Michael Offner

Reporter

Chris Blackwell

Labels

None

Fix versions

Affects versions

4.5.1.015

Priority

Blocker